Key sharing system, public key cryptosystem, signature system, key sharing apparatus, encryption apparatus, decryption apparatus, signature apparatus, authentication apparatus, key sharing method, encryption method, decryption method, signature method, authentication method, and programs

ABSTRACT

A key sharing system is disclosed which uses a public key X∈GF(n) (2≦X<n) which belongs to a Galois finite field GF(n) for an integer n (n≧2), and a polynomial T(•, •) defined in GF(n) by T(a, x)≡S(a, x) mod n where S(•, •) is a Chebyshev polynomial defined by S(a, cos θ)=cos(aθ) where a is an integer (a≧2). In a key sharing apparatus of this system, an integer obtaining unit obtains an integer p (2≦p<n), a transmission key calculation unit calculates a transmission key Y∈GF(n) using the integer p based on Y=T(p, X), a transmission key sending unit sends the transmission key Y to another key sharing apparatus, a transmission key reception unit receives a transmission key W from another key sharing apparatus, and a common key calculation unit calculates a common key Z∈GF(n) using the transmission key W based on Z=T(p, W).

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a key sharing system, a public key cryptosystem, a signature system, a key sharing apparatus, an encryption apparatus, a decryption apparatus, a signature apparatus, an authentication apparatus, a key sharing method, an encryption method, a decryption method, a signature method, an authentication method, and programs for controlling computers to act as the above apparatuses.

2. Description of the Related Art

Conventionally, key cryptosystems employing a public key and a secret key have been used. Now that security for data communications is more highly required, such public key cryptosystems are attracting more and more attention. Signature systems for attaching a signature to messages to be transmitted are also becoming popular.

In addition, since encryption using a public key plus decryption using a secret key requires a large amount of calculations, an alternative method of encrypting a message with a common key, encrypting this common key with a public key, and sending the message together with both the keys, and decrypting the encrypted common key with a secret key on the receiver-side, so as to decrypt the message using the decrypted common key, is also widely used.

With today's growing awareness of security, it is more demanded that key sharing systems, public key cryptosystems, and signature systems realize a system that needs only a small amount of calculations in encryption and decryption, while keeping high security.

The present invention has been made to solve the above problem, and it is an object of the present invention to provide a key sharing system, a public key cryptosystem, a signature system, a key sharing apparatus, an encryption apparatus, a decryption apparatus, a signature apparatus, an authentication apparatus, a key sharing method, an encryption method, a decryption method, a signature method, an authentication method, and programs for controlling computers to act as the above apparatuses.

SUMMARY OF THE INVENTION

To accomplish the above object, the following invention will be disclosed, in accordance with the principle of this invention.

A key sharing system according to a first aspect of the present invention enables a first key sharing apparatus and a second key sharing apparatus to share a key, using a public key X∈GF(n) which belongs to a Galois finite field GF(n) for an integer n (n≧2), and which is equal to or larger than 2 and smaller than n, and a polynomial T(•, •) which is defined in the Galois finite field GF(n) by
    T(a, x)≡S(a, x) mod n
where S(•, •) is a Chebyshev polynomial defined by
    S(a, cos θ)=cos(aθ)
where a is an integer (a≧2), wherein:

-   (a) the first key sharing apparatus comprises
    -   an integer obtaining unit which obtains an integer p which is equal to or larger than 2, and smaller than n,
    -   a transmission key calculation unit which calculates a transmission key Y∈GF(n) using the obtained integer p based on the following equation
        Y=T(p, X), and
    -   a transmission key sending unit which sends the calculated transmission key Y to the second key sharing apparatus;
-   (b) the second key sharing apparatus comprises
    -   an integer obtaining unit which obtains an integer q which is equal to or larger than 2, and smaller than n,
    -   a transmission key calculation unit which calculates a transmission key W∈GF(n) using the obtained integer q based on the following equation
        W=T(q, X), and
    -   a transmission key sending unit which sends the calculated transmission key W to the first key sharing apparatus;
-   (c) the first key sharing apparatus further comprises
    -   a transmission key reception unit which receives the transmission key W sent from the second key sharing apparatus, and
    -   a common key calculation unit which calculates a common key Z∈GF(n) using the received transmission key W based on the following equation
        Z=T(p, W); and
-   (d) the second key sharing apparatus further comprises
    -   a transmission key reception unit which receives the transmission key Y sent from the first key sharing apparatus, and
    -   a common key calculation unit which calculates a common key Z′∈GF(n) using the received transmission key Y based on the following equation
        Z′=T(q, Y).

The first key sharing apparatus may further comprise:

-   an encryption unit which encrypts a message to be transmitted using the calculated common key Z to obtain an encrypted message; and
-   an encrypted message sending unit which sends the encrypted message to the second key sharing apparatus.

The second key sharing apparatus may further comprise:

-   an encrypted message reception unit which receives the encrypted message sent from the first key sharing apparatus; and
-   a decryption unit which decrypts the received encrypted message using the calculated common key Z′ to obtain the message to be transmitted.

A key sharing system according to a second aspect of the present invention enables a key to be shared among N (N≧2) number of key sharing apparatuses M₀, M₁, . . . , M_(N−1), using a public key X∈GF(n) which belongs to a Galois finite field GF(n) for an integer n (n≧2), and which is equal to or larger than 2 and smaller than n, and a polynomial T(•, •) which is defined in the Galois finite field GF(n) by
    T(a, x)≡S(a, x) mod n
where S(•, •) is a Chebyshev polynomial defined by
    S(a, cos θ)=cos(aθ)
where a is an integer (a≧2), wherein the key sharing apparatus M_(i) (0≦i≦N−1) comprises:

-   an integer obtaining unit which obtains an integer p_(i) which is equal to or larger than 2 and smaller than n;
-   an initial transmission key calculation unit which calculates a transmission key Y_(i) using the obtained integer p_(i) based on the following equation
    Y_(i)=T(p_(i), X);
-   an initial transmission key sending unit which sends the calculated transmission key Y_(i) and polynomial application information representing that only the key sharing apparatus M_(i) applies the polynomial to obtain the transmission key Y_(i), to another key sharing apparatus among the plurality of key sharing apparatuses;
-   a transmission key reception unit which receives a transmission key W_(i)∈GF(n) and polynomial application information regarding the transmission key W_(i)∈GF(n), from another key sharing apparatus among the plurality of key sharing apparatuses;
-   a common key calculation unit which calculates a common key Z_(i) using the obtained integer p_(i) and the received transmission key W_(i) based on the following equation
    Z_(i)=T(p_(i), W_(i)),
    in a case where the received polynomial application information represents that all the key sharing apparatuses among the plurality of key sharing apparatuses except the key sharing apparatus M_(i) have applied the polynomial;
-   an intermediate transmission key calculation unit which calculates a transmission key V_(i) using the obtained integer p_(i) and the received transmission key W_(i) based on the following equation
    V_(i)=T(p_(i), W_(i)),
    in a case where the received polynomial information does not represent so; and
-   an intermediate transmission key sending unit which sends the calculated transmission key V_(i) and the received polynomial application information to which information representing that the key sharing apparatus M_(i) has applied the polynomial is added, to another key sharing apparatus among the plurality of key sharing apparatuses.

Each of the initial transmission key sending unit and intermediate transmission key sending unit of the key sharing apparatus M_(i) sends the transmission key and the polynomial application information to a key sharing apparatus M_((i+1) mod N).

The transmission key reception unit of the key sharing apparatus M_(i) receives the transmission key and the polynomial application information from a key sharing apparatus M_((i−1) mod N).

Among the plurality of key sharing apparatuses:

-   a key sharing apparatus M_(s) (0≦s≦N−1) may further comprise
    -   an encryption unit which encrypts a message to be transmitted using the calculated common key Z_(s) to obtain an encrypted message, and
    -   an encrypted message sending unit which sends the encrypted message to the key sharing apparatus M_(t); and
-   a key sharing apparatus M_(t) (0≦t≦N−1, t≠s) may further comprise
    -   an encrypted message reception unit which receives the encrypted message sent from the key sharing apparatus M_(s), and
    -   a decryption unit which decrypts the received encrypted message using the calculated common key Z_(t) to obtain the message to be transmitted.

In the above key sharing systems, the integer n is defined as
    n=c^(m)
where c is a prime number, and m is an integer equal to or larger than 2.

A public key cryptosystem according to a third aspect of the present invention is a cryptosystem in which an encryption apparatus sends a message to a decryption apparatus, using a public key X∈GF(n) which belongs to a Galois finite field GF(n) for an integer n (n≧2), and which is equal to or larger than 2 and smaller than n, and a polynomial T(•, •) which is defined in the Galois finite field GF(n) by
    T(a, x)≡S(a, x) mod n
where S(•, •) is a Chebyshev polynomial defined by
    S(a, cos θ)=cos(aθ)
where a is an integer (a≧2), wherein:

-   (a) the decryption apparatus comprises
    -   a secret key obtaining unit which obtains a secret key p which is an integer equal to or larger than 2,
    -   a natural number obtaining unit which obtains a natural number k which is prime to “p−1” (where p is the obtained secret key) and equal to or larger than 2,
    -   a public key calculation unit which calculates a public key Y∈GF(n) using the secret key p and the public key X based on the following equation
        Y=T(p, X), and
    -   a public key disclosing unit which discloses the natural number k and the public key Y to the encryption apparatus;
-   (b) the encryption apparatus comprises
    -   a public key reception unit which receives the natural number k and the public key Y disclosed by the decryption unit,
    -   an encryption unit which calculates an encrypted message (a, b) using a message m∈GF(n) based on the following equations
        a=T(k, X)
        b=mT(k, Y) mod n, and
    -   an encrypted message sending unit which sends the encrypted message (a, b) to the decryption apparatus; and
-   (c) the decryption apparatus further comprises
    -   an encrypted message reception unit which receives the encrypted message (a, b) sent from the encryption apparatus, and
    -   a decryption unit which calculates a message m′∈GF(n) using the secret key p and the received encrypted message (a, b) based on the following equation
        m′=b/T(p, a) mod n.

The encryption apparatus may further comprise:

-   a message reception unit which receives a message M to be transmitted; and
-   a hash calculation unit which obtains the message m, using the received message M and a hash function H(•) for mapping the message M over GF(n) based on the following equation
    m=H(M).

The decryption unit may further comprise a message obtaining unit which obtains a message M′ to be transmitted, using the obtained message m′ and an inverse function H⁻¹(•) of the hash function H(•) based on the following equation
    M′=H⁻¹(m′).
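The exchanges of the first, second and third aspects above, as an added Python example that is not part of the original disclosure. The modulus n = (2^61 − 1)^2, the public key X, the secret integers, all function names and the invertibility check on T(k, Y) are constructed assumptions; arithmetic is done on integers mod n, as the equations are written.

```python
from math import gcd

# Constructed parameters (assumptions, not from the disclosure):
C = 2**61 - 1          # a prime c
N_MOD = C**2           # n = c^m with m = 2
X = 123456789          # public key, 2 <= X < n


def T(a, x, n):
    """T(a, x) = S(a, x) mod n for the degree-a Chebyshev polynomial S.

    Walks the bits of a with the doubling identities
    S(2k) = 2 S(k)^2 - 1 and S(2k+1) = 2 S(k) S(k+1) - x.
    """
    t0, t1 = 1 % n, x % n                # (S(k), S(k+1)) for k = 0
    for bit in bin(a)[2:]:
        if bit == "0":                   # k -> 2k
            t0, t1 = (2 * t0 * t0 - 1) % n, (2 * t0 * t1 - x) % n
        else:                            # k -> 2k + 1
            t0, t1 = (2 * t0 * t1 - x) % n, (2 * t1 * t1 - 1) % n
    return t0


def two_party(p, q, x, n):
    """First aspect: returns (Y, W, Z, Z')."""
    y = T(p, x, n)                       # sent by the first apparatus
    w = T(q, x, n)                       # sent by the second apparatus
    return y, w, T(p, w, n), T(q, y, n)


def ring_share(secret_ints, x, n):
    """Second aspect: N apparatuses, each forwarding to M_((i+1) mod N).

    The polynomial application information is modelled as the set of
    indices that have already applied T to the value in transit.
    """
    count = len(secret_ints)
    everyone = frozenset(range(count))
    # Initial transmission keys Y_i, addressed to the next apparatus.
    in_flight = [((i + 1) % count, T(p, x, n), frozenset({i}))
                 for i, p in enumerate(secret_ints)]
    keys = {}
    while in_flight:
        dest, w, applied = in_flight.pop(0)
        value = T(secret_ints[dest], w, n)
        if applied == everyone - {dest}:     # all others applied: Z_i
            keys[dest] = value
        else:                                # intermediate key V_i
            in_flight.append(((dest + 1) % count, value, applied | {dest}))
    return [keys[i] for i in range(count)]


def keygen(p, x, n, k_limit=10_000):
    """Third aspect, decryption side: pick k prime to p-1 and publish (k, Y).

    Assumption added here: k is also rejected when T(k, Y) has no inverse
    mod n, because decryption divides by that value.
    """
    y = T(p, x, n)
    for k in range(2, k_limit):
        if gcd(k, p - 1) == 1 and gcd(T(k, y, n), n) == 1:
            return k, y
    raise ValueError("no usable k below k_limit")


def encrypt(m, k, y, x, n):
    """a = T(k, X), b = m * T(k, Y) mod n."""
    return T(k, x, n), (m * T(k, y, n)) % n


def decrypt(a, b, p, n):
    """m' = b / T(p, a) mod n, using the modular inverse as division."""
    return (b * pow(T(p, a, n), -1, n)) % n


if __name__ == "__main__":
    p, q = 48112959837082048697, 36413321723440003717   # constructed secrets
    _, _, z, z_prime = two_party(p, q, X, N_MOD)
    print("two-party keys match:", z == z_prime)
    ring = ring_share([p, q, 97, 1234567], X, N_MOD)
    print("ring keys match:", len(set(ring)) == 1)
    k, y = keygen(p, X, N_MOD)
    a, b = encrypt(424242, k, y, X, N_MOD)
    print("decrypted:", decrypt(a, b, p, N_MOD))
```

Both sides arrive at the same key because S(p, S(q, x)) = S(pq, x) = S(q, S(p, x)). The mask T(k, Y) applied to m in b depends only on the disclosed values k and Y.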

A signature system according to a fourth aspect of the present invention is a system in which a signature apparatus sends a message to an authentication apparatus, using a Galois finite field GF(n) for an integer n (n≧2), a polynomial T(•, •) which is defined in the Galois finite field GF(n) by
    T(a, x)≡S(a, x) mod n
where S(•, •) is a Chebyshev polynomial defined by
    S(a, cos θ)=cos(aθ)
where a is an integer (a≧2), and a lowest positive integer n* which satisfies
    T(b+n*, U)=T(b, U)
where b is an arbitrary positive integer, and U is an arbitrary integer (U∈GF(n)), wherein:

-   (a) the signature apparatus comprises
    -   an integer selection unit which selects an integer p (2≦p<min(n*, n−1)), and an integer k (2≦k<min(n*, n−1), k≠p),
    -   a public key calculation unit which calculates a public key Y∈GF(n) using the integer p, based on the following equation
        Y=T(p, X),
    -   a public key disclosing unit which discloses the public key Y to the authentication apparatus,
    -   a signature unit which calculates a signature-affixed message (r, s, m) using a message m∈GF(n), based on the following equations
        r=T(k, X)
        s=(m+pr)/k mod n, and
    -   a signature-affixed message sending unit which sends the signature-affixed message (r, s, m) to the authentication apparatus; and
-   (b) the authentication apparatus comprises
    -   a public key reception unit which receives the public key Y disclosed by the signature apparatus,
    -   a signature-affixed message reception unit which receives the signature-affixed message (r, s, m) sent from the signature apparatus,
    -   a parameter calculation unit which calculates the following parameters
        w=1/s mod n*
        u₁=mw mod n*
        u₂=rw mod n*
        v=T(u₁+u₂, Y)
        using the received public key Y and the received signature-affixed message (r, s, m), and
    -   an authentication unit which authenticates the signature-affixed message (r, s, m), in a case where it is satisfied that r=v (v is the calculated parameter, and r is an element of the signature-affixed message (r, s, m)).

In the signature apparatus, in a case where the value s calculated by the signature unit is equal to 0, the integer selection unit reselects another integer as the integer k.

The signature apparatus may further comprise:

-   a message reception unit which receives a message M to be transmitted; and
-   a hash calculation unit which obtains the message m, using the received message M, and a hash function H(•) for mapping the message M over GF(n), based on the following equation
    m=H(M).

The authentication apparatus may further comprise a message obtaining unit which obtains the message M to be transmitted, using the signature-affixed message (r, s, m), and an inverse function H⁻¹(•) of the hash function H(•), based on the following equation
    M=H⁻¹(m).

A key sharing apparatus according to a fifth aspect of the present invention is the first key sharing apparatus employed in the key sharing system according to the first aspect of the present invention.

A key sharing apparatus according to a sixth aspect of the present invention is the second key sharing apparatus employed in the key sharing system according to the first aspect of the present invention.

A key sharing apparatus according to a seventh aspect of the present invention is the key sharing apparatus employed in the key sharing system according to the second aspect of the present invention.

An encryption apparatus according to an eighth aspect of the present invention is the encryption apparatus employed in the public key cryptosystem according to the third aspect of the present invention.

A decryption apparatus according to a ninth aspect of the present invention is the decryption apparatus employed in the public key cryptosystem according to the third aspect of the present invention.

A signature apparatus according to a tenth aspect of the present invention is the signature apparatus employed in the signature system according to the fourth aspect of the present invention.

An authentication apparatus according to an eleventh aspect of the present invention is the authentication apparatus employed in the signature system according to the fourth aspect of the present invention.

A key sharing method according to a twelfth aspect of the present invention is a method which uses a public key X∈GF(n) which belongs to a Galois finite field GF(n) for an integer n (n≧2), and which is equal to or larger than 2 and smaller than n, and a polynomial T(•, •) which is defined in the Galois finite field GF(n) by
    T(a, x)≡S(a, x) mod n
where S(•, •) is a Chebyshev polynomial defined by
    S(a, cos θ)=cos(aθ)
where a is an integer (a≧2), the method comprising:

-   an integer obtaining step of obtaining an integer p which is equal to or larger than 2, and smaller than n;
-   a transmission key calculating step of calculating a transmission key Y∈GF(n) using the obtained integer p, based on the following equation
    Y=T(p, X);
-   a transmission key sending step of sending the calculated transmission key Y to another key sharing apparatus;
-   a transmission key receiving step of receiving a transmission key W sent from the “another” key sharing apparatus; and
-   a common key calculating step of calculating a common key Z∈GF(n) using the received transmission key W, based on the following equation
    Z=T(p, W).

A key sharing method to be described below forms a combination with the above key sharing method, and uses a public key X∈GF(n) which belongs to a Galois finite field GF(n) for an integer n (n≧2), and which is equal to or larger than 2 and smaller than n, and a polynomial T(•, •) which is defined in the Galois finite field GF(n) by
    T(a, x)≡S(a, x) mod n
where S(•, •) is a Chebyshev polynomial defined by
    S(a, cos θ)=cos(aθ)
where a is an integer (a≧2), the method comprising:

-   an integer obtaining step of obtaining an integer q which is equal to or larger than 2, and smaller than n;
-   a transmission key calculating step of calculating a transmission key W∈GF(n) using the obtained integer q, based on the following equation
    W=T(q, X);
-   a transmission key sending step of sending the calculated transmission key W to another key sharing apparatus;
-   a transmission key receiving step of receiving a transmission key Y sent from the “another” key sharing apparatus; and
-   a common key calculating step of calculating a common key Z′∈GF(n) using the received transmission key Y, based on the following equation
    Z′=T(q, Y).

The key sharing method may further comprise:

-   an encrypting step of encrypting a message to be transmitted using the calculated common key Z, to obtain an encrypted message; and
-   an encrypted message sending step of sending the encrypted message to the “another” key sharing apparatus.

The key sharing method may further comprise:

-   an encrypted message receiving step of receiving an encrypted message sent from the “another” key sharing apparatus; and
-   a decrypting step of decrypting the received encrypted message using the calculated common key Z′, to obtain a message to be transmitted.

A key sharing method according to a thirteenth aspect of the present invention is a method [1] which enables a key to be shared among N (N≧2) number of key sharing apparatuses M₀, M₁, . . . , M_(N−1), with the use of a public key X∈GF(n) which belongs to a Galois finite field GF(n) for an integer n (n≧2), and which is equal to or larger than 2 and smaller than n, and a polynomial T(•, •) which is defined in the Galois finite field GF(n) by
    T(a, x)≡S(a, x) mod n
where S(•, •) is a Chebyshev polynomial defined by
    S(a, cos θ)=cos(aθ)
where a is an integer (a≧2), and [2] which is performed by the key sharing apparatus M_(i) (0≦i≦N−1), the method comprising:

-   an integer obtaining step of obtaining an integer p_(i) which is equal to or larger than 2, and smaller than n;
-   an initial transmission key calculating step of calculating a transmission key Y_(i), using the obtained integer p_(i), based on the following equation
    Y_(i)=T(p_(i), X);
-   an initial transmission key sending step of sending the calculated transmission key Y_(i), and polynomial application information representing that only the key sharing apparatus M_(i) has applied the polynomial to calculate the transmission key Y_(i), to another key sharing apparatus among the plurality of key sharing apparatuses;
-   a transmission key receiving step of receiving a transmission key W_(i)∈GF(n) and polynomial application information regarding the transmission key W_(i)∈GF(n), from another key sharing apparatus among the plurality of key sharing apparatuses;
-   a common key calculating step of calculating a common key Z_(i), using the obtained integer p_(i) and the received transmission key W_(i), based on the following equation
    Z_(i)=T(p_(i), W_(i))
    in a case where the received polynomial application information represents that all the key sharing apparatuses among the plurality of key sharing apparatuses except the key sharing apparatus M_(i) have applied the polynomial;
-   an intermediate transmission key calculating step of calculating a transmission key V_(i), using the obtained integer p_(i) and the received transmission key W_(i), based on the following equation
    V_(i)=T(p_(i), W_(i))
    in a case where the received polynomial application information does not represent so; and
-   an intermediate transmission key sending step of sending the calculated transmission key V_(i) and the received polynomial application information to which information representing that the key sharing apparatus M_(i) has applied the polynomial is added, to another key sharing apparatus among the plurality of key sharing apparatuses.

In each of the initial transmission key sending step and intermediate transmission key sending step, the transmission key and the polynomial application information are sent to a key sharing apparatus M_((i+1) mod N).

In the transmission key receiving step, the transmission key and the polynomial application information are received from a key sharing apparatus M_((i−1) mod N).

The key sharing method may be performed by a key sharing apparatus M_(s) (0≦s≦N−1) when a message is sent from the key sharing apparatus M_(s) to a key sharing apparatus M_(t) (0≦t≦N−1, t≠s) among the plurality of key sharing apparatuses, and may further comprise:

-   an encrypting step of encrypting a message to be transmitted using the calculated common key Z_(s), to obtain an encrypted message; and
-   an encrypted message sending step of sending the encrypted message to the key sharing apparatus M_(t).

The key sharing method may be performed by a key sharing apparatus M_(t) (0≦t≦N−1) when a message is sent from a key sharing apparatus M_(s) (0≦s≦N−1, s≠t) to the key sharing apparatus M_(t) among the plurality of key sharing apparatuses, and may further comprise:

-   an encrypted message receiving step of receiving an encrypted message sent from the key sharing apparatus M_(s); and
-   a decrypting step of decrypting the received encrypted message using the calculated common key Z_(t), to obtain a message to be transmitted.

In the above key sharing methods, the integer n may be defined as
    n=c^(m)
where c is a prime number, and m is an integer equal to or larger than 2.

An encryption method according to a fourteenth aspect of the present invention is a method using a public key X∈GF(n) which belongs to a Galois finite field GF(n) for an integer n (n≧2), and which is equal to or larger than 2 and smaller than n, and a polynomial T(•, •) which is defined in the Galois finite field GF(n) by
    T(a, x)≡S(a, x) mod n
where S(•, •) is a Chebyshev polynomial defined by
    S(a, cos θ)=cos(aθ)
where a is an integer (a≧2), the method comprising:

-   a public key receiving step of receiving a natural number k and a public key Y which are disclosed by a decryption apparatus;
-   an encrypting step of calculating an encrypted message (a, b) using a message m∈GF(n), based on the following equations
    a=T(k, X)
    b=mT(k, Y) mod n; and
-   an encrypted message sending step of sending the encrypted message (a, b) to the decryption apparatus.

The encryption method may further comprise:

-   a message receiving step of receiving a message M to be transmitted; and
-   a hash calculating step of obtaining the message m, using the received message M and a hash function H(•) for mapping the message M over GF(n), based on the following equation
    m=H(M).

A decryption method according to a fifteenth aspect of the present invention is a method using a public key X∈GF(n) which belongs to a Galois finite field GF(n) for an integer n (n≧2), and which is equal to or larger than 2 and smaller than n, and a polynomial T(•, •) which is defined in the Galois finite field GF(n) by
    T(a, x)≡S(a, x) mod n
where S(•, •) is a Chebyshev polynomial defined by
    S(a, cos θ)=cos(aθ)
where a is an integer (a≧2), the method comprising:

-   a secret key obtaining step of obtaining a secret key p which is an integer equal to or larger than 2;
-   a natural number obtaining step of obtaining a natural number k which is prime to p−1 (where p is the obtained secret key) and equal to or larger than 2;
-   a public key calculating step of calculating a public key Y∈GF(n) using the secret key p and the public key X, based on the following equation
    Y=T(p, X);
-   a public key disclosing step of disclosing the natural number k and the public key Y to an encryption apparatus;
-   an encrypted message receiving step of receiving an encrypted message (a, b) sent from the encryption apparatus; and
-   a decrypting step of calculating a message m′∈GF(n), using the secret key p and the received encrypted message (a, b), based on the following equation
    m′=b/T(p, a) mod n.

The decryption method may further comprise a message obtaining step of obtaining a message M′ to be transmitted, using the calculated message m′ and an inverse function H⁻¹(•) of a hash function H(•) which is used by the encryption apparatus, based on the following equation
    M′=H⁻¹(m′).

A signature method according to a sixteenth aspect of the present invention is a method using a Galois finite field GF(n) for an integer n (n≧2), a polynomial T(•, •) which is defined in the Galois finite field GF(n) by
    T(a, x)≡S(a, x) mod n
where S(•, •) is a Chebyshev polynomial defined by
    S(a, cos θ)=cos(aθ)
where a is an integer (a≧2), and a lowest positive integer n* which satisfies
    T(b+n*, U)=T(b, U)
where b is an arbitrary positive integer, and U is an arbitrary integer (U∈GF(n)), the method comprising:

-   an integer selecting step of selecting an integer p (2≦p<min(n*, n−1)) and an integer k (2≦k<min(n*, n−1), k≠p);
-   a public key calculating step of calculating a public key Y∈GF(n), using the integer p, based on the following equation
    Y=T(p, X);
-   a public key disclosing step of disclosing the public key Y to an authentication apparatus;
-   a signature calculating step of calculating a signature-affixed message (r, s, m) using a message m∈GF(n), based on the following equations
    r=T(k, X)
    s=(m+pr)/k mod n; and
-   a signature-affixed message sending step of sending the signature-affixed message (r, s, m) to the authentication apparatus.

In a case where the value s calculated in the signature calculating step is equal to 0, another integer is reselected as the integer k in the integer selecting step.

The signature method may further comprise:

-   a message receiving step of receiving a message M to be transmitted; and
-   a hash calculating step of obtaining the message m, using the received message M and a hash function H(•) for mapping the message M over GF(n), based on the following equation
    m=H(M).

An authentication method according to a seventeenth aspect of the present invention is a method using a Galois finite field GF(n) for an integer n (n≧2), a polynomial T(•, •) which is defined in the Galois finite field GF(n) by
    T(a, x)≡S(a, x) mod n
where S(•, •) is a Chebyshev polynomial defined by
    S(a, cos θ)=cos(aθ)
where a is an integer (a≧2), and a lowest positive integer n* which satisfies
    T(b+n*, U)=T(b, U)
where b is an arbitrary positive integer, and U is an arbitrary integer (U∈GF(n)), the method comprising:

-   a public key receiving step of receiving a public key Y disclosed by a signature apparatus;
-   a signature-affixed message receiving step of receiving a signature-affixed message (r, s, m) sent from the signature apparatus;
-   a parameter calculating step of calculating the following parameters
    w=1/s mod n*
    u₁=mw mod n*
    u₂=rw mod n*
    v=T(u₁+u₂, Y)
    using the received public key Y and the received signature-affixed message (r, s, m); and
-   an authenticating step of authenticating the signature-affixed message (r, s, m), in a case where it is true that r=v (v is the calculated parameter, and r is an element of the signature-affixed message (r, s, m)).

The authentication method may further comprise a message obtaining step of obtaining a message M to be transmitted, using the signature-affixed message (r, s, m) and an inverse function H⁻¹(•) of a hash function H(•) which is used by the signature apparatus, based on the following equation
    M=H⁻¹(m).

A program according to an eighteenth aspect of the present invention controls a computer to function as the key sharing apparatus according to the fifth aspect of the present invention.

A program according to a nineteenth aspect of the present invention controls a computer to function as the key sharing apparatus according to the sixth aspect of the present invention.

A program according to a twentieth aspect of the present invention controls a computer to function as the key sharing apparatus according to the seventh aspect of the present invention.

A program according to a twenty-first aspect of the present invention controls a computer to function as the encryption apparatus according to the eighth aspect of the present invention.

A program according to a twenty-second aspect of the present invention controls a computer to function as the decryption apparatus according to the ninth aspect of the present invention.

A program according to a twenty-third aspect of the present invention controls a computer to function as the signature apparatus according to the tenth aspect of the present invention.

A program according to a twenty-fourth aspect of the present invention controls a computer to function as the authentication apparatus according to the eleventh aspect of the present invention.

BRIEF DESCRIPTION OF THE DRAWINGS

These objects and other objects and advantages of the present invention will become more apparent upon reading of the following detailed description and the accompanying drawings in which:

FIG. 1 is an exemplary diagram showing a schematic structure of a key sharing system according to a first embodiment of the present invention;

FIG. 2 is a graph showing a correspondence between values to be substituted in a Chebyshev polynomial S(•, •) when it is used as a function, and the resultant values of calculation;

FIG. 3 is a flowchart showing a flow of a process of a key sharing method performed by a first key sharing apparatus;

FIG. 4 is a flowchart showing a flow of a process of an encryption method performed by the first key sharing apparatus;

FIG. 5 is a flowchart showing a flow of a process of a decryption method performed by a second key sharing apparatus;

FIG. 6 is an exemplary diagram showing a schematic structure of a key sharing apparatus M_(i) according to a second embodiment;

FIG. 7 is a flowchart showing a flow of a process of a key sharing method performed by the key sharing apparatus M_(i) according to the second embodiment;

FIG. 8 is an explanatory diagram for explaining transmission and reception of a transmission key, etc. according to the second embodiment;

FIG. 9 is an exemplary diagram showing a schematic structure of a public key cryptosystem according to a third embodiment;

FIG. 10 is a flowchart showing a flow of a process of a decryption method performed by a decryption apparatus;

FIG. 11 is a flowchart showing a flow of a process of an encryption method performed by an encryption apparatus;

FIG. 12 is an exemplary diagram showing a schematic structure of a signature system according to a fourth embodiment;

FIG. 13 is a flowchart showing a flow of a process of a signature method performed by a signature apparatus; and

FIG. 14 is a flowchart showing a flow of a process of an authentication method performed by an authentication apparatus.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Embodiments of the present invention will now be explained. The embodiments to be explained are for the sake of explanation, and not intended to limit the scope of the present invention. Accordingly, even though one with ordinary skill in the art can employ another embodiment wherein individual elements or all elements of the present invention are replaced with equivalents of those, such embodiment is to be included in the scope of the present invention.

First Embodiment

FIG. 1 is an exemplary diagram showing a schematic structure of a key sharing system according to a first embodiment of the present invention. The following explanation will be made with reference to this drawing.

A key sharing system 101 comprises a first key sharing apparatus 102 and a second key sharing apparatus 102 which share between them a key used for encryption when transmitting a message, as will be described later.

Each key sharing apparatus 102 comprises an integer obtaining unit 103, a transmission key calculation unit 104, a transmission key sending unit 105, a transmission key reception unit 106, and a common key calculation unit 107. Illustrated elements other than the above are to be described later.

The key sharing system 101 uses a public key X∈GF(n) which belongs to a Galois finite field GF(n) for an integer n (n≧2), and which is equal to or larger than 2 and smaller than n, and a polynomial T(•, •) which is defined in the Galois finite field GF(n) by
T(a, x)≡S(a, x) mod n
where S(•, •) is a Chebyshev polynomial defined by
S(a, cos θ)=cos(aθ)
where a is an integer (a≧2).

FIG. 2 is a graph showing correspondence between values to be substituted in the Chebyshev polynomial S(•, •) when it is used as a function, and the resultant values obtained by calculating the Chebyshev polynomial. Specifically, the Chebyshev polynomial can be represented as the following equations.
S(1, x)=x;
S(2, x)=2x²−1;
S(3, x)=4x³−3x;
S(4, x)=8x⁴−8x²+1;

Here, it is supposed that the Chebyshev polynomial S(•, •) is calculated in the Galois finite field GF(n). The calculation result is referred to as T(•, •). A calculation using “mod” allows an overflow or underflow which occurs during the calculation to be ignored. Performing such a calculation just corresponds to performing the four basic arithmetic operations in an ordinary computer.

As described, in the present embodiment, a necessary calculation can be performed using an ordinary computer, or a dedicated calculation circuit, etc. comprising an adder, a multiplier, etc.

FIG. 3 is a flowchart showing a flow of a process of a key sharing method carried out by the first key sharing apparatus 102. The processes carried out by the respective key sharing apparatuses 102 are the same. However, in order to facilitate understanding of the background of the theory of the present invention, the respective processes are to be explained sequentially.

It is assumed as a premise that both of the key sharing apparatuses 102 share a public key X which belongs to GF(n). This public key X may be open to others.

For easier understanding, specific values will be employed in the explanation below. For example, let it be assumed that
n=2²⁰⁰=1606938044258990275541962092341162602522202993782792835301376,
and X=123.

In the first key sharing apparatus 102, the integer obtaining unit 103 obtains an integer p which is equal to or larger than 2, and smaller than n (step S301). For example, let it be assumed that “251” is selected as p (p=251).

Then, the transmission key calculation unit 104 calculates a transmission key Y∈GF(n) using the obtained integer p based on
Y=T(p, X)
(step S302). When using the above described values, the calculation results in
Y=1051937263758371990097586384146037381059241137335343438748379.

Then, the transmission key sending unit 105 sends the calculated transmission key Y to the second key sharing apparatus 102 (step S303).

Likewise, in the second key sharing apparatus 102, the integer obtaining unit 103 obtains an integer q which is equal to or larger than 2, and smaller than n (same as step S301). For example, let it be assumed that q=127.

The transmission key calculation unit 104 calculates a transmission key W∈GF(n) using the obtained integer q based on
W=T(q, X)
(same as step S302). When using the above specified values, the calculation results in
W=389805704436066900356221107082190652128452589999625926802555.

Then, the transmission key sending unit 105 sends the calculated transmission key W to the first key sharing apparatus 102 (same as step S303).

Thus, the respective key sharing apparatuses obtain the integers p and q, calculate the values Y and W respectively, and send the calculated values to each other.

The transmission key reception unit 106 of the first key sharing apparatus 102 receives the transmission key W sent from the second key sharing apparatus 102 (step S304).

Then, the common key calculation unit 107 calculates a common key Z∈GF(n) using the received transmission key W based on
Z=T(p, W)
(step S305). In this example, this calculation results in
Z=1209219195210417873778621423700158842142848251849230516156.

On the other hand, the transmission key reception unit 106 of the second key sharing apparatus 102 receives the transmission key Y sent from the first key sharing apparatus 102 (same as step S304).

The common key calculation unit 107 calculates a common key Z′∈GF(n) using the received transmission key Y based on
Z′=T(q, Y)
(same as step S305). In this example, the calculation results in
Z′=1209219195210417873778621423700158842142848251849230516156.
That is, it turns out that Z=Z′.

Note that a Chebyshev polynomial has the characteristic described below.
S(p, S(q, x))=S(q, S(p, x))=S(pq, x)

Accordingly, a polynomial T(•, •) which is obtained by moving the Chebyshev polynomial into the Galois finite field GF(n) has a similar characteristic, as follows.
T(p, T(q, x))=T(q, T(p, x))=T(pq, x)

Since it is satisfied that:
Z=T(p, W); Y=T(p, X);
Z′=T(q, Y); and W=T(q, X),
it follows that:
Z=T(p, W)=T(p, T(q, X))=T(pq, X); and
Z′=T(q, Y)=T(q, T(p, X))=T(pq, X).

Accordingly, it is satisfied that
Z=Z′.

As a result of the above calculations, the two key sharing apparatuses 102 share the key Z=Z′ which exists in the Galois finite field GF(n).

When the common key is shared between the key sharing apparatuses 102 as described above, the next step will be transmission of a message which is encrypted using this common key. The following explanation will consider a case where an encrypted message is sent from the first key sharing apparatus 102 to the second key sharing apparatus 102.

As shown in FIG. 1, the first key sharing apparatus 102 further comprises an encryption unit 111, and an encrypted message sending unit 112.

On the other hand, the second key sharing apparatus 102 further comprises an encrypted message reception unit 121, and a decryption unit 122.

FIG. 4 is a flowchart showing a flow of a process of an encryption method performed by the first key sharing apparatus 102. FIG. 5 is a flowchart showing a flow of a process of a decryption method performed by the second key sharing apparatus 102. Each of those processes needs to be performed after the above explained key sharing method is executed, and thus a common key is shared between both of the key sharing apparatuses.

In the first key sharing apparatus 102, the encryption unit 111 obtains an encrypted message by encrypting a message to be transmitted using the calculated common key Z (step S401).

The encrypted message sending unit 112 sends the encrypted message to the second key sharing apparatus 102 (step S402).

In the second key sharing apparatus 102, the encrypted message reception unit 121 receives the encrypted message sent from the first key sharing apparatus 102 (step S501).

Then, the decryption unit 122 decrypts the received encrypted message using the calculated common key Z′, and thus obtains the message to be transmitted (step S502).

Various known techniques can be applied in the encryption and decryption processes using the common key Z=Z′.

Values taken by the Chebyshev polynomial T(•, •) show a chaotic behavior. Therefore, even if the message transmitted between both of the key sharing apparatuses 102 is seen, it is extremely hard to guess the common key Z=Z′. Accordingly, the above described sharing of the key and transmission of the message are safe, and there is very low possibility that the message is improperly deciphered. Thus, secure sharing of a key and secure transmission of a message can be realized.

Second Embodiment

According to the above described first embodiment, it is possible to share a secret key between the two key sharing apparatuses 102. The present embodiment is an expanded version of the above embodiment. That is, the present embodiment will disclose another key sharing system wherein a key is shared among N (N≧2) number of key sharing apparatuses M₀, M₁, . . . , M_(N−1).

FIG. 6 is an exemplary diagram showing a schematic structure of each key sharing apparatus M_(i) (0≦i≦N−1) according to the present embodiment. FIG. 7 is a flowchart showing a flow of a process of a key sharing method performed by each key sharing apparatus M_(i) (0≦i≦N−1). The following explanation will be made with reference to those drawings.

A key sharing apparatus M_(i) 601 comprises an integer obtaining unit 602, an initial transmission key calculation unit 603, an initial transmission key sending unit 604, a transmission key reception unit 605, a common key calculation unit 606, an intermediate transmission key calculation unit 607, and an intermediate transmission key sending unit 608.

As in the first embodiment, it is assumed that each key sharing apparatus M_(i) 601 acquires a public key X.

The integer obtaining unit 602 obtains an integer p_(i) which is equal to or larger than 2, and smaller than n (step S701).

The initial transmission key calculation unit 603 calculates a transmission key Y_(i) using the obtained integer p_(i) based on
Y_(i)=T(p_(i), X)
(step S702).

Then, the initial transmission key sending unit 604 sends the calculated transmission key Y_(i), together with polynomial application information representing that only this key sharing apparatus M_(i) 601 has applied the polynomial to calculate the transmission key Y_(i), to another key sharing apparatus 601 among the plurality of key sharing apparatuses 601 (step S703).

If the polynomial application information is represented as a set, the entire information to be sent can be represented as (Y_(i), {i}).

The transmission key reception unit 605 receives a transmission key W_(i)∈GF(n), and polynomial application information I regarding the transmission key W_(i)∈GF(n), from any one of the plurality of key sharing apparatuses 601 (step S704). That is, the received information is (W_(i), I).

The key sharing apparatus M_(i) 601 determines whether or not the received polynomial application information represents that all the key sharing apparatuses 601 among the plurality of key sharing apparatuses 601 except the key sharing apparatus M_(i) 601 have applied the polynomial (step S705). That is, the key sharing apparatus M_(i) 601 determines whether or not I={0, 1, 2, . . . , i−1, i+1, i+2, . . . , N−2, N−1}.

In a case where the polynomial application information represents so (step S705; Yes), the common key calculation unit 606 calculates a common key Z_(i) using the obtained integer p_(i) and the received transmission key W_(i) based on
Z_(i)=T(p_(i), W_(i))
(step S706).

On the contrary, in a case where the polynomial application information does not represent so (step S705; No), the key sharing apparatus M_(i) 601 further determines whether or not the polynomial has been applied by the key sharing apparatus M_(i) 601 itself, i.e., whether or not i is included in I (step S707).

In a case where i is not included in I (step S707; No), the intermediate transmission key calculation unit 607 calculates a transmission key V_(i) using the obtained integer p_(i) and the received transmission key W_(i) based on
V_(i)=T(p_(i), W_(i))
(step S708).

Then, the intermediate transmission key sending unit 608 sends, to another key sharing apparatus 601 among the plurality of key sharing apparatuses 601, the calculated transmission key V_(i) and the received polynomial application information to which information representing that the key sharing apparatus M_(i) 601 has applied the polynomial is added (step S709). Then, the flow returns to step S704.

Accordingly, the respective key sharing apparatuses 601 obtain the common key Z according to the key sharing method of the present embodiment. Specifically, the respective key sharing apparatuses 601 obtain the common key Z by applying functions T(p₀, •), T(p₁, •), . . . , T(p_(N−1), •) to the public key X in various orders. Since T(•, •) has the above described characteristic, it holds that
Z₀=Z₁= . . . =Z_(N−1)=T(p₀p₁ . . . p_(N−1), X)
as in the first embodiment. Therefore, each key sharing apparatus 601 obtains the same calculation result, and thus can share a secret key.

In the present embodiment, it can be so set that every key sharing apparatus 601 sends the transmission key and the polynomial application information to the adjacent apparatus 601. FIG. 8 is an explanatory diagram for explaining the transmission and reception of the transmission key, etc.

Each of the initial transmission key sending unit 604 and intermediate transmission key sending unit 608 of the key sharing apparatus M_(i) 601 sends a transmission key and polynomial application information to the key sharing apparatus M_((i+1) mod N) 601.

The transmission key reception unit 605 of the key sharing apparatus M_(i) 601 receives a transmission key and polynomial application information from the key sharing apparatus M_((i−1) mod N) 601.

As shown in FIG. 8, the transmission key, etc. are transmitted and received in a circle. If the transmission and reception are synchronously performed, every key sharing apparatus 601 can obtain a common key after the transmission and reception are repeated “N−1” number of times. In this case, “how many times the transmission and reception of the transmission key to and from an adjacent apparatus have been repeated” can be used as the polynomial application information.
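The two-party exchange of the first embodiment (steps S301 to S305) and the ring exchange of the second embodiment (steps S701 to S709) can be simulated as follows. This is an added example, not code from the patent: the function names are assumptions, arithmetic is done on integers mod n as the text's "mod n" describes, and T(•, •) is evaluated with the standard Chebyshev doubling identities so that large integers p stay practical.

```python
"""Chebyshev-polynomial key sharing: first embodiment (two parties) and
second embodiment (N parties on a ring). All names are illustrative."""


def cheb_T(a, x, n):
    """Return T(a, x) = S(a, x) mod n for an integer a >= 0.

    Walks the bits of a from the most significant end while holding the
    pair (S(k, x), S(k+1, x)) and applying the identities
        S(2k, x)   = 2*S(k, x)^2 - 1
        S(2k+1, x) = 2*S(k, x)*S(k+1, x) - x
    so the cost is O(log a) multiplications mod n.
    """
    x %= n
    t0, t1 = 1 % n, x                      # (S(0, x), S(1, x))
    for bit in bin(a)[2:]:
        if bit == "1":                     # k -> 2k + 1
            t0, t1 = (2 * t0 * t1 - x) % n, (2 * t1 * t1 - 1) % n
        else:                              # k -> 2k
            t0, t1 = (2 * t0 * t0 - 1) % n, (2 * t0 * t1 - x) % n
    return t0


def check_integer(p, n):
    """Steps S301/S701: the obtained integer must satisfy 2 <= p < n."""
    if not 2 <= p < n:
        raise ValueError("integer must satisfy 2 <= p < n")
    return p


def two_party_share(n, X, p, q):
    """First embodiment. Returns (Y, W, Z, Z_prime)."""
    check_integer(p, n)
    check_integer(q, n)
    Y = cheb_T(p, X, n)                    # S302, first apparatus
    W = cheb_T(q, X, n)                    # S302, second apparatus
    Z = cheb_T(p, W, n)                    # S305, first apparatus
    Z_prime = cheb_T(q, Y, n)              # S305, second apparatus
    return Y, W, Z, Z_prime


def ring_share(n, X, secrets):
    """Second embodiment with synchronous sends from M_i to M_((i+1) mod N).

    Each message is (key, I), where I is the polynomial application
    information kept as a set of apparatus indices.
    Returns the list [Z_0, ..., Z_(N-1)].
    """
    N = len(secrets)
    everyone = frozenset(range(N))
    inbox = {}
    for i, p_i in enumerate(secrets):      # S701 to S703
        check_integer(p_i, n)
        inbox[(i + 1) % N] = (cheb_T(p_i, X, n), frozenset({i}))

    common = [None] * N
    for _ in range(N - 1):                 # N-1 synchronous rounds
        outbox = {}
        for i, (W_i, I) in inbox.items():  # S704
            if I == everyone - {i}:        # S705: all others applied T
                common[i] = cheb_T(secrets[i], W_i, n)         # S706
            elif i not in I:               # S707
                V_i = cheb_T(secrets[i], W_i, n)               # S708
                outbox[(i + 1) % N] = (V_i, I | {i})           # S709
        inbox = outbox
    return common


if __name__ == "__main__":
    n, X = 2 ** 200, 123                   # values used in the text
    Y, W, Z, Z_prime = two_party_share(n, X, 251, 127)
    print("two parties agree:", Z == Z_prime)
    # Constructed sample secrets for a four-apparatus ring.
    keys = ring_share(n, X, [251, 127, 65537, 99991])
    print("ring agrees:", len(set(keys)) == 1)
```

Every message in the ring carries only a value of the form T(product of some p_(i), X) and the index set I, so an apparatus decides between steps S706 and S708 from I alone.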

After a common key has been shared among the key sharing apparatuses 601 in this way, a message can be securely transmitted using this key, as in the first embodiment. Such a message transmission process is the same as that explained with reference to FIG. 4 and FIG. 5.

For example, a case where a message is sent from a key sharing apparatus M_(s) (0≦s≦N−1) 601 to a key sharing apparatus M_(t) (0≦t≦N−1, t≠s) 601 will be considered.

The key sharing apparatus M_(s) 601 further comprises an encryption unit, and an encrypted message sending unit (same as FIG. 1, thus not illustrated).

On the other hand, the key sharing apparatus M_(t) 601 further comprises an encrypted message reception unit and a decryption unit (same as FIG. 1, thus not illustrated).

The encryption unit of the key sharing apparatus M_(s) 601 obtains an encrypted message by encrypting a message to be transmitted using a calculated common key Z_(s) (corresponding to step S401). The encrypted message sending unit sends the encrypted message to the key sharing apparatus M_(t) (corresponding to step S402).

The encrypted message reception unit of the key sharing apparatus M_(t) 601 receives the encrypted message sent from the key sharing apparatus M_(s) 601 (corresponding to step S501). Then, the decryption unit decrypts the received encrypted message using the calculated common key Z_(t), and obtains the message to be transmitted (corresponding to step S502).

As described above, sharing of a key and transmission of a message can be securely performed by an arbitrary number (equal to or larger than 2) of key sharing apparatuses, as in the first embodiment.

In either of the above described key sharing systems, the integer n can be defined as
n=c^(m)
where c is a prime number, and m is an integer equal to or larger than 2. With such limitation of GF(n), an effect can be obtained that a finite field consisting of n number of elements, which is unique to n (which is set exclusively for n), is obtained.

Third Embodiment

Also in a public key cryptosystem according to the present embodiment, a message sent from an encryption apparatus will be decrypted in a decryption apparatus using GF(n) and T(•, •), as in the above described embodiments. In the public key cryptosystem according to the present embodiment, a public key will be created by the decryption apparatus.

FIG. 9 is an exemplary diagram showing a schematic structure of the public key cryptosystem according to the present embodiment. The following explanation will be made with reference to this drawing.

A public key cryptosystem 901 comprises a decryption apparatus 931 and an encryption apparatus 951.

The decryption apparatus 931 comprises a secret key obtaining unit 932, a natural number obtaining unit 933, a public key calculation unit 934, a public key disclosing unit 935, an encrypted message reception unit 936, and a decryption unit 937.

The encryption apparatus 951 comprises a public key reception unit 952, an encryption unit 953, and an encrypted message sending unit 954.

FIG. 10 is a flowchart showing a flow of a process of a decryption method performed by the decryption apparatus 931. FIG. 11 is a flowchart showing a flow of a process of an encryption method performed by the encryption apparatus 951. The following explanation will be made with reference to those drawings.

In the decryption apparatus 931, the secret key obtaining unit 932 obtains a secret key p, which is an integer equal to or larger than 2 (step S1001).

Then, the natural number obtaining unit 933 obtains a natural number k which is prime to “p−1” (where p is the secret key), and equal to or larger than 2 (step S1002).

The public key calculation unit 934 calculates a public key Y∈GF(n) using the secret key p and a public key X based on
Y=T(p, X)
(step S1003).

The public key disclosing unit 935 discloses the natural number k and the public key Y to the encryption apparatus 951 (step S1004).

In the encryption apparatus 951, the public key reception unit 952 receives the natural number k and public key Y disclosed by the decryption apparatus 931 (step S1101).

Then, the encryption unit 953 calculates an encrypted message (a, b) using a message m∈GF(n) based on
a=T(k, X)
b=mT(k, Y) mod n
(step S1102).

The encrypted message sending unit 954 sends the encrypted message (a, b) to the decryption apparatus 931 (step S1103).

In the decryption apparatus 931, the encrypted message reception unit 936 receives the encrypted message (a, b) sent from the encryption apparatus 951 (step S1005). The decryption unit 937 calculates a message m′∈GF(n) using the secret key p and the received encrypted message (a, b) based on
m′=b/T(p, a) mod n
(step S1006).

It can be proved that m=m′ from the characteristic of the function T(•, •) as described in the first and second embodiments.
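The encryption and decryption steps S1001 to S1006 can be traced with the following added example, which is not code from the patent; the function names and the sample message are assumptions, and "b/T(p, a) mod n" is implemented as multiplication by a modular inverse. It also checks two things an implementer would want to know: the division in step S1006 only works when T(p, a) is invertible mod n, and T(p, a) equals T(k, Y), a value computed from the k and Y disclosed in step S1004.

```python
"""Third embodiment (public key cryptosystem), steps S1001 to S1006.
Illustrative names; requires Python 3.8+ for pow(t, -1, n)."""
from math import gcd


def T(a, x, n):
    """T(a, x) = S(a, x) mod n via S(j+1, x) = 2x*S(j, x) - S(j-1, x)."""
    t_prev, t_cur = 1 % n, x % n
    for _ in range(a):
        t_prev, t_cur = t_cur, (2 * x * t_cur - t_prev) % n
    return t_prev


def keygen(n, X, p, k):
    """S1001 to S1004: return the disclosed pair (k, Y)."""
    if p < 2 or k < 2:
        raise ValueError("p and k must be at least 2")
    if gcd(k, p - 1) != 1:
        raise ValueError("k must be prime to p-1")
    return k, T(p, X, n)                   # Y = T(p, X)


def encrypt(n, X, k, Y, m):
    """S1102: a = T(k, X), b = m*T(k, Y) mod n."""
    return T(k, X, n), (m * T(k, Y, n)) % n


def decrypt(n, p, a, b):
    """S1006: m' = b / T(p, a) mod n.

    pow(t, -1, n) raises ValueError when T(p, a) has no inverse mod n,
    in which case the division in S1006 is undefined.
    """
    return (b * pow(T(p, a, n), -1, n)) % n


def mask_from_disclosed(n, k, Y):
    """The multiplier applied to m in S1102, from disclosed values only."""
    return T(k, Y, n)


if __name__ == "__main__":
    n, X = 2 ** 200, 123                   # n and X as in the first embodiment
    p, k = 251, 127                        # constructed sample values
    m = 0x48656C6C6F                       # constructed sample message
    k_pub, Y = keygen(n, X, p, k)
    a, b = encrypt(n, X, k_pub, Y, m)
    print("round trip ok:", decrypt(n, p, a, b) == m)
    print("T(p, a) == T(k, Y):", T(p, a, n) == mask_from_disclosed(n, k_pub, Y))
    try:                                   # even X with odd p*k: no inverse mod 2^200
        k2, Y2 = keygen(n, 124, p, k)
        decrypt(n, p, *encrypt(n, 124, k2, Y2, m))
    except ValueError as exc:
        print("decryption undefined:", exc)
```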

In the present embodiment, the encryption apparatus 951 and the decryption apparatus 931 can use a predetermined hash function H(•) and its inverse function when encrypting/decrypting the message. A case where a hash function H(•) and its inverse function are used will be explained below.

In this case, the encryption apparatus 951 further comprises a message reception unit (not illustrated) and a hash calculation unit (not illustrated).

The decryption apparatus 931 further comprises a message obtaining unit (not illustrated).

In the encryption apparatus 951, the message reception unit receives a message M to be transmitted. Then, the hash calculation unit obtains (calculates) a message m using the received message M and a hash function H(•) for mapping the message M over GF(n) based on
m=H(M).

On the other hand, in the decryption apparatus 931, the message obtaining unit obtains a message M′ to be transmitted using the obtained message m′ and an inverse function H⁻¹(•) of the hash function H(•) based on
M′=H⁻¹(m′).

For the above hash function H(•), a one-way function whose inverse function is difficult to calculate, and which transforms an input message into a pseudo random bit stream having a fixed length of bits, can be used. Known hash functions such as MD5 (128 bit hash), SHA (160 bit hash), etc. can be used as such a function.

Fourth Embodiment

A signature system of the present embodiment will employ the basic ideas of the key sharing systems and public key cryptosystem described in the first to third embodiments. GF(n) and T(•, •) will also be used in the present embodiment.

FIG. 12 is an exemplary diagram showing a schematic structure of a signature system according to the present embodiment. The following explanation will be made with reference to this drawing.

A signature system 1201 comprises a signature apparatus 1231 and an authentication apparatus 1251. The authentication apparatus 1251 checks whether or not a signature included in a message was affixed by the signature apparatus 1231.

It is assumed that each of the signature apparatus 1231 and the authentication apparatus 1251 obtains a lowest positive integer n* which satisfies
T(b+n*, U)=T(b, U)
where b is an arbitrary positive integer, and U is an arbitrary integer (U∈GF(n)).

The signature apparatus 1231 comprises an integer selection unit 1232, a public key calculation unit 1233, a public key disclosing unit 1234, a signature unit 1235, and a signature-affixed message sending unit 1236.

The authentication apparatus 1251 comprises a public key reception unit 1252, a signature-affixed message reception unit 1253, a parameter calculation unit 1254, and an authentication unit 1255.

FIG. 13 is a flowchart showing a flow of a process of a signature method performed by the signature apparatus 1231. FIG. 14 is a flowchart showing a flow of a process of an authentication method performed by the authentication apparatus 1251. The following explanation will be made with reference to those drawings.

In the signature apparatus 1231, the integer selection unit 1232 selects an integer p (2≦p<min(n*, n−1)), and an integer k (2≦k<min(n*, n−1), k≠p) (step S1301).

Then, the public key calculation unit 1233 calculates a public key Y∈GF(n) using the integer p based on
Y=T(p, X)
(step S1302).

The public key disclosing unit 1234 discloses the public key Y to the authentication apparatus 1251 (step S1303).

The signature unit 1235 calculates a signature-affixed message (r, s, m) using a message m (m∈GF(n)) based on
r=T(k, X)
s=(m+pr)/k mod n
(step S1304).

Then, the signature apparatus determines whether or not it is true that s=0 (step S1305). In a case where it is true (step S1305; Yes), the flow returns to step S1301 in order to reselect one or both of the integers p and k. In a case where the public key Y, which is calculated using a pre-selected integer p, has already been disclosed, it is preferred that only the integer k be reselected. This is because the authentication apparatus 1251 can use the public key Y, in a case where it has already received it, without the need to perform data communication twice.

In a case where s≠0, the signature-affixed message sending unit 1236 sends the signature-affixed message (r, s, m) to the authentication apparatus 1251 (step S1306).

On the other hand, in the authentication apparatus 1251, the public key reception unit 1252 receives the public key Y disclosed by the signature apparatus 1231 (step S1401).

The signature-affixed message reception unit 1253 receives the signature-affixed message (r, s, m) sent from the signature apparatus 1231 (step S1402).

The parameter calculation unit 1254 calculates the following parameters
w=1/s mod n*
u₁=mw mod n*
u₂=rw mod n*
v=T(u₁+u₂, Y)
using the received public key Y and the received signature-affixed message (r, s, m) (step S1403).

Then, the authentication unit 1255 determines whether or not it is true that r=v, where v is the calculated parameter, and r is an element of the signature-affixed message (r, s, m) (step S1404). In a case where it is true that r=v, the signature-affixed message (r, s, m) is successfully authenticated by the authentication unit 1255 (step S1405). In a case where it is not, the message (r, s, m) is not successfully authenticated (step S1406).

As in the third embodiment, the signature apparatus 1231 and the authentication apparatus 1251 may use a hash function H(•) and its inverse function, in order to hash the message.

In this case, the signature apparatus 1231 further comprises a message reception unit and a hash calculation unit (not illustrated), and the authentication apparatus 1251 further comprises a message obtaining unit (not illustrated).

In the signature apparatus 1231, the message reception unit receives a message M to be transmitted. Then, the hash calculation unit calculates a message m using the received message M and a hash function H(•) for mapping the message M over GF(n) based on
m=H(M).

On the other hand, in the authentication apparatus 1251, the message obtaining unit obtains the message M to be transmitted using the signature-affixed message (r, s, m) and an inverse function H⁻¹(•) of the hash function H(•) based on
M=H⁻¹(m).

In this way, the authentication apparatus 1251 can authenticate the signature affixed to the hashed message, and thus can check the true sender of the message.

As described above, according to the present invention, it is possible to provide a key sharing system, a public key cryptosystem, a signature system, a key sharing apparatus, an encryption apparatus, a decryption apparatus, a signature apparatus, an authentication apparatus, a key sharing method, an encryption method, a decryption method, a signature method, an authentication method, and programs for controlling computers to act as the above apparatuses.

Various embodiments and changes may be made thereunto without departing from the broad spirit and scope of the invention. The above-described embodiments are intended to illustrate the present invention, not to limit the scope of the present invention. The scope of the present invention is shown by the attached claims rather than the embodiments. Various modifications made within the meaning of an equivalent of the claims of the invention and within the claims are to be regarded to be in the scope of the present invention.

This application is based on Japanese Patent Application No. 2001-188446 filed on Jun. 21, 2001 and including specification, claims, drawings and summary. The disclosure of the above Japanese Patent Application is incorporated herein by reference in its entirety.

1. A key sharing system for enabling a first key sharing apparatus and asecond key sharing apparatus to share a key, using a public key XεGF(n)which belongs to a Galois finite field GF(n) for an integer n (n≧2), andwhich is equal to or larger than 2 and smaller than n, and a polynomialT(•, •) which is defined in the Galois finite field GF(n) byT(a, x)≡S(a, x)mod n where S(•, •) is a Chebyshev polynomial defined byS(a, cos θ)=cos(aθ) where a is an integer (a≧2), and said first keysharing apparatus and said second key sharing apparatus are connectedwith each other via a computer network, wherein: (a) said first keysharing apparatus comprises an integer obtaining unit which obtains aninteger p which is equal to or larger than 2, and smaller than n, atransmission key calculation unit which calculates a transmission keyYεGF(n) using the obtained integer p based on the following equationY=T(p, X), and a transmission key sending unit which sends thecalculated transmission key Y to said second key sharing apparatus via acomputer network; (b) said second key sharing apparatus comprises aninteger obtaining unit which obtains an integer p which is equal to orlarger than 2, and smaller than n, a transmission key calculation unitwhich calculates a transmission key YεGF(n) using the obtained integer pbased on the following equationW=T(q, X), and a transmission key sending unit which sends thecalculated transmission key W to said first key sharing apparatus via acomputer network; (c) said first key sharing apparatus further comprisesa transmission key reception unit which receives the transmission key Wsent from said second key sharing apparatus via a computer network, anda common key calculation unit which calculates a common key ZεGF(n)using the received transmission key W based on the following equationZ=T(p, W); and (d) said second key sharing apparatus further comprises atransmission key reception unit which receives the transmission key Ysent from said first key sharing 
apparatus via a computer network, and acommon key calculation unit which calculates a common key Z′εGF(n) usingthe received transmission key Y based on the following equationZ′=T(q, Y).
 2. The key sharing system according to claim 1, wherein: (e)said first key sharing apparatus further comprises an encryption unitwhich encrypts a message to be transmitted using the calculated commonkey Z to obtain an encrypted message, and an encrypted message sendingunit which sends the encrypted message to said second key sharingapparatus; and (f) said second key sharing apparatus further comprisesan encrypted message reception unit which receives the encrypted messagesent from said first key sharing apparatus, and a decryption unit whichdecrypts the received encrypted message using the calculated common keyZ′ to obtain the message to be transmitted.
3. A key sharing system for enabling a key to be shared among N (N≧2) number of key sharing apparatuses M₀, M_(i), . . . , M_(N−1), using a public key XεGF(n) which belongs to a Galois finite field GF(n) for an integer n (n≧2), and which is equal to or larger than 2 and smaller than n, and a polynomial T(•, •) which is defined in the Galois finite field GF(n) by T(a, x)≡S(a, x) mod n where S(•, •) is a Chebyshev polynomial defined by S(a, cos θ)=cos(aθ) where a is an integer (a≧2), and said key sharing apparatus are connected with each other via a computer network, and wherein said key sharing apparatus M_(i) (0≦i≦N−1) comprises: an integer obtaining unit which obtains an integer p_(i) which is equal to or larger than 2 and smaller than n; an initial transmission key calculation unit which calculates a transmission key Y_(i) using the obtained integer p_(i) based on the following equation Y_(i)=T(p_(i), X); an initial transmission key sending unit which sends the calculated transmission key Y_(i) and polynomial application information representing that only said key sharing apparatus M_(i) applies the polynomial to obtain the transmission key Y_(i), to another key sharing apparatus among said plurality of key sharing apparatuses via a computer network; a transmission key reception unit which receives a transmission key W_(i)εGF(n) and polynomial application information regarding the transmission key W_(i)εGF(n), from another key sharing apparatus among said plurality of key sharing apparatuses via a computer network; a common key calculation unit which calculates a common key Z_(i) using the obtained integer p_(i) and the received transmission key W_(i) based on the following equation Z_(i)=T(p_(i), W_(i)), in a case where the received polynomial application information represents that all said key sharing apparatuses among said plurality of key sharing apparatuses except said key sharing apparatus M_(i) have applied the polynomial; an intermediate transmission key calculation unit which calculates a transmission key V_(i) using the obtained integer p_(i) and the received transmission key W_(i) based on the following equation V_(i)=T(p_(i), W_(i)), in a case where the received polynomial information does not represent so; and an intermediate transmission key sending unit which sends the calculated transmission key V_(i) and the received polynomial application information to which information representing that said key sharing apparatus M_(i) has applied the polynomial is added, to another key sharing apparatus among said plurality of key sharing apparatus via a computer network.
4. The key sharing system according to claim 3, wherein: each of said initial transmission key sending unit and intermediate transmission key sending unit of said key sharing apparatus M_(i) sends the transmission key and the polynomial application information to a key sharing apparatus M_((i+1)mod N); and said transmission key reception unit of said key sharing apparatus M_(i) receives the transmission key and the polynomial application information from a key sharing apparatus M_((i−1)mod N).
5. The key sharing system according to claim 3, wherein in a key sharing apparatus M_(s) (0≦s≦N−1) and key sharing apparatus M_(t) (0≦t≦N−1, t≠s) among said plurality of key sharing apparatuses: (e) said key sharing apparatus M_(s) further comprises an encryption unit which encrypts a message to be transmitted using the calculated common key Z_(s) to obtain an encrypted message, and an encrypted message sending unit which sends the encrypted message to said key sharing apparatus M_(t); and (f) said key sharing apparatus M_(t) further comprises an encrypted message reception unit which receives the encrypted message sent from said key sharing apparatus M_(s), and a decryption unit which decrypts the received encrypted message using the calculated common key Z_(t) to obtain the message to be transmitted.
6. The key sharing system according to claim 1, wherein the integer n is defined as n=c^(m) where c is a prime number, and m is an integer equal to or larger than 2.
7. A key sharing apparatus, using a public key XεGF(n) which belongs to a Galois finite field GF(n) for an integer n (n≧2), and which is equal to or larger than 2 and smaller than n, and a polynomial T(•, •) which is defined in the Galois finite field GF(n) by T(a, x)≡S(a, x) mod n where S(•, •) is a Chebyshev polynomial defined by S(a, cos θ)=cos(aθ) where a is an integer (a≧2), and said key sharing apparatus being connected with another key sharing apparatus via a computer network, comprising: an integer obtaining unit which obtains an integer p which is equal to or larger than 2, and smaller than n; a transmission key calculation unit which calculates a transmission key YεGF(n) using the obtained integer p based on the following equation Y=T(p, X); a transmission key sending unit which sends the calculated transmission key Y to said another key sharing apparatus via a computer network; a transmission key reception unit which receives a transmission key W from said another key sharing apparatus via a computer network; and a common key calculation unit which calculates a common key ZεGF(n) using the received transmission key W based on the following equation Z=T(p, W).
8. A key sharing apparatus, using a public key XεGF(n) which belongs to a Galois finite field GF(n) for an integer n (n≧2), and which is equal to or larger than 2 and smaller than n, and a polynomial T(•, •) which is defined in the Galois finite field GF(n) by T(a, x)≡S(a, x) mod n where S(•, •) is a Chebyshev polynomial defined by S(a, cos θ)=cos(aθ) where a is an integer (a≧2), and said key sharing apparatus being connected with another key sharing apparatus via a computer network, comprising: an integer obtaining unit which obtains an integer q which is equal to or larger than 2, and smaller than n; a transmission key calculation unit which calculates a transmission key WεGF(n) using the obtained integer q based on the following equation W=T(q, X); a transmission key sending unit which sends the calculated transmission key W to said another key sharing apparatus via a computer network; a transmission key reception unit which receives a transmission key Y from said another key sharing apparatus via a computer network; and a common key calculation unit which calculates a common key Z′εGF(n) using the received transmission key Y based on the following equation Z′=T(q, Y).
9. A key sharing apparatus, using a public key XεGF(n) which belongs to a Galois finite field GF(n) for an integer n (n≧2), and which is equal to or larger than 2 and smaller than n, and a polynomial T(•, •) which is defined in the Galois finite field GF(n) by T(a, x)≡S(a, x) mod n where S(•, •) is a Chebyshev polynomial defined by S(a, cos θ)=cos(aθ) where a is an integer (a≧2), said key sharing apparatus being connected with other key sharing apparatus via a computer network, said key sharing apparatus comprising: an integer obtaining unit which obtains an integer p which is equal to or larger than 2 and smaller than n; an initial transmission key calculation unit which calculates a transmission key Y using the obtained integer p based on the following equation Y=T(p, X); an initial transmission key sending unit which sends the calculated transmission key Y and polynomial application information representing that only said key sharing apparatus applies the polynomial to obtain the transmission key Y, to another key sharing apparatus via a computer network; a transmission key reception unit which receives a transmission key WεGF(n) and polynomial application information regarding the transmission key WεGF(n), from another of said other key sharing apparatus via a computer network; a common key calculation unit which calculates a common key Z using the obtained integer p and the received transmission key W based on the following equation Z=T(p, W), in a case where the received polynomial application information represents that all key sharing apparatuses except said key sharing apparatus have applied the polynomial; an intermediate transmission key calculation unit which calculates a transmission key V using the obtained integer p and the received transmission key W based on the following equation V=T(p, W), in a case where the received polynomial information does not represent so; and an intermediate transmission key sending unit which sends the calculated transmission key V and the received polynomial application information to which information representing that said key sharing apparatus has applied the polynomial is added, to said one of said other key sharing apparatus via a computer network.
10. A key sharing method using a public key XεGF(n) which belongs to a Galois finite field GF(n) for an integer n (n≧2), and which is equal to or larger than 2 and smaller than n, and a polynomial T(•, •) which is defined in the Galois finite field GF(n) by T(a, x)≡S(a, x) mod n where S(•, •) is a Chebyshev polynomial defined by S(a, cos θ)=cos(aθ) where a is an integer (a≧2), said method comprising: an integer obtaining step of obtaining an integer p which is equal to or larger than 2, and smaller than n; a transmission key calculating step of calculating a transmission key YεGF(n) using the obtained integer p, based on the following equation Y=T(p, X); a transmission key sending step of sending the calculated transmission key Y to another key sharing apparatus via a computer network; a transmission key receiving step of receiving a transmission key W sent from the another key sharing apparatus via a computer network; and a common key calculating step of calculating a common key ZεGF(n) using the received transmission key W, based on the following equation Z=T(p, W).
11. A key sharing method using a public key XεGF(n) which belongs to a Galois finite field GF(n) for an integer n (n≧2), and which is equal to or larger than 2 and smaller than n, and a polynomial T(•, •) which is defined in the Galois finite field GF(n) by T(a, x)≡S(a, x) mod n where S(•, •) is a Chebyshev polynomial defined by S(a, cos θ)=cos(aθ) where a is an integer (a≧2), said method comprising: an integer obtaining step of obtaining an integer q which is equal to or larger than 2, and smaller than n; a transmission key calculating step of calculating a transmission key WεGF(n) using the obtained integer q, based on the following equation W=T(q, X); a transmission key sending step of sending the calculated transmission key W to another key sharing apparatus via a computer network; a transmission key receiving step of receiving a transmission key Y sent from the another key sharing apparatus via a computer network; and a common key calculating step of calculating a common key Z′εGF(n) using the received transmission key Y, based on the following equation Z′=T(q, Y).
12. The key sharing method according to claim 10 or 11, further comprising: an encrypting step of encrypting a message to be transmitted using the calculated common key Z, to obtain an encrypted message; and an encrypted message sending step of sending the encrypted message to the another key sharing apparatus via a computer network.
13. The key sharing method according to claim 10 or 11, further comprising: an encrypted message receiving step of receiving an encrypted message sent from the another key sharing apparatus via a computer network; and a decrypting step of decrypting the received encrypted message using the calculated common key Z′, to obtain a message to be transmitted.
14. A key sharing method which enables a key to be shared among N (N≧2) number of key sharing apparatuses M₀, M_(i), . . . , M_(N−1), which are connected with each other via a computer network, with use of a public key XεGF(n) which belongs to a Galois finite field GF(n) for an integer n (n≧2), and which is equal to or larger than 2 and smaller than n, and a polynomial T(•, •) which is defined in the Galois finite field GF(n) by T(a, x)≡S(a, x) mod n where S(•, •) is a Chebyshev polynomial defined by S(a, cos θ)=cos(aθ) where a is an integer (a≧2), and which is performed by said key sharing apparatus M_(i) (0≦i≦N−1), said method comprising: an integer obtaining step of obtaining an integer p_(i) which is equal to or larger than 2, and smaller than n; an initial transmission key calculating step of calculating a transmission key Y_(i), using the obtained integer p_(i), based on the following equation Y_(i)=T(p_(i), X); an initial transmission key sending step of sending the calculated transmission key Y_(i), and polynomial application information representing that only said key sharing apparatus M_(i) has applied the polynomial to calculate the transmission key Y_(i), to another key sharing apparatus among said plurality of key sharing apparatuses via a computer network; a transmission key receiving step of receiving a transmission key W_(i)εGF(n) and polynomial application information regarding the transmission key W_(i)εGF(n), from another key sharing apparatus among said plurality of key sharing apparatuses via said computer network, a common key calculating step of calculating a common key Z_(i), using the obtained integer p_(i) and the received transmission key W_(i), based on the following equation Z_(i)=T(p_(i), W_(i)) in a case where the received polynomial application information represents that all said key sharing apparatuses among said plurality of key sharing apparatuses except said key sharing apparatus M_(i) have applied the polynomial; an intermediate transmission key calculating step of calculating a transmission key V_(i), using the obtained integer p_(i) and the received transmission key W_(i), based on the following equation V_(i)=T(p_(i), W_(i)) in a case where the received polynomial application information does not represent so; and an intermediate transmission key sending step of sending the calculated transmission key V_(i) and the received polynomial application information to which information representing that said key sharing apparatus M_(i) has applied the polynomial is added, to another key sharing apparatus among said plurality of key sharing apparatus via said computer network.
15. The key sharing method according to claim 14, wherein: in each of said initial transmission key sending step and intermediate transmission key sending step, the transmission key and the polynomial application information are sent to a key sharing apparatus M_((1+1)mod N), via said computer network, in said transmission key receiving step, the transmission key and the polynomial application information are received from a key sharing apparatus M_((i−1)mod N) via said computer network.
16. The key sharing method according to claim 14, which is performed by a key sharing apparatus M_(s) (0≦s≦N−1) when a message is sent from said key sharing apparatus M_(s) to a key sharing apparatus M_(t) (0≦t≦N−1, t≠s) among said plurality of key sharing apparatuses, said method further comprising: an encrypting step of encrypting a message to be transmitted using the calculated common key Z_(s), to obtain an encrypted message; and an encrypted message sending step of sending the encrypted message to said key sharing apparatus M_(t) via said computer network.
17. The key sharing method according to claim 14, which is performed by a key sharing apparatus M_(t) (0≦t≦N−1) when a message is sent from a key sharing apparatus M_(s) (0≦s≦N−1, s≠t) to said key sharing apparatus M_(t) among said plurality of key sharing apparatuses, said method further comprising: an encrypted message receiving step of receiving an encrypted message sent from said key sharing apparatus M_(s) via said computer network; and a decrypting step of decrypting the received encrypted message using the calculated common key Z_(t), to obtain a message to be transmitted.
18. The key sharing method according to any one of claims 10 to 17, wherein the integer n is defined as n=c^(m) where c is a prime number, and m is an integer equal to or larger than 2.
19. A program product stored on a computer, using a public key XεGF(n) which belongs to a Galois finite field GF(n) for an integer n (n≧2), and which is equal to or larger than 2 and smaller than n, and a polynomial T(•, •) which is defined in the Galois finite field GF(n) by T(a, x)≡S(a, x) mod n where S(•, •) is a Chebyshev polynomial defined by S(a, cos θ)=cos(aθ) where a is an integer (a≧2), and controlling a computer to function as a key sharing apparatus which comprises: an integer obtaining unit which obtains an integer p which is equal to or larger than 2, and smaller than n; a transmission key calculation unit which calculates a transmission key YεGF(n) using the obtained integer p based on the following equation Y=T(p, X); a transmission key sending unit which sends the calculated transmission key Y to another key sharing apparatus via a computer network; a transmission key reception unit which receives a transmission key W from said another key sharing apparatus via a computer network; and a common key calculation unit which calculates a common key ZεGF(n) using the received transmission key W based on the following equation Z=T(p, W).
20. A program product stored on a computer, using a public key XεGF(n) which belongs to a Galois finite field GF(n) for an integer n (n≧2), and which is equal to or larger than 2 and smaller than n, and a polynomial T(•, •) which is defined in the Galois finite field GF(n) by T(a, x)≡S(a, x) mod n where S(•, •) is a Chebyshev polynomial defined by S(a, cos θ)=cos(aθ) where a is an integer (a≧2), and controlling a computer to function as a key sharing apparatus which comprises: an integer obtaining unit which obtains an integer q which is equal to or larger than 2, and smaller than n; a transmission key calculation unit which calculates a transmission key WεGF(n) using the obtained integer q based on the following equation W=T(q, X); a transmission key sending unit which sends the calculated transmission key W to another key sharing apparatus via a computer network; a transmission key reception unit which receives a transmission key Y from said another key sharing apparatus via said computer network; and a common key calculation unit which calculates a common key Z′εGF(n) using the received transmission key Y based on the following equation Z′=T(q, Y).
21. A program product stored on a computer, using a public key XεGF(n) which belongs to a Galois finite field GF(n) for an integer n (n≧2), and which is equal to or larger than 2 and smaller than n, and a polynomial T(•, •) which is defined in the Galois finite field GF(n) by T(a, x)≡S(a, x) mod n where S(•, •) is a Chebyshev polynomial defined by S(a, cos θ)=cos(aθ) where a is an integer (a≧2), and controlling a computer to function as a key sharing apparatus which comprises: an integer obtaining unit which obtains an integer p which is equal to or larger than 2 and smaller than n; an initial transmission key calculation unit which calculates a transmission key Y using the obtained integer p based on the following equation Y=T(p, X); an initial transmission key sending unit which sends the calculated transmission key Y and polynomial application information representing that only said key sharing apparatus applies the polynomial to obtain the transmission key Y, to another key sharing apparatus via a computer network; a transmission key reception unit which receives a transmission key WεGF(n) and polynomial application information regarding the transmission key WεGF(n), from another key sharing apparatus via said computer network; a common key calculation unit which calculates a common key Z using the obtained integer p and the received transmission key W based on the following equation Z=T(p, W), in a case where the received polynomial application information represents that all key sharing apparatuses except said key sharing apparatus have applied the polynomial; an intermediate transmission key calculation unit which calculates a transmission key V using the obtained integer p and the received transmission key W based on the following equation V=T(p, W), in a case where the received polynomial information does not represent so; and an intermediate transmission key sending unit which sends the calculated transmission key V and the received polynomial application information to which information representing that said key sharing apparatus has applied the polynomial is added, to another key sharing apparatus via said computer network.
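The two-party exchange of claim 1 and the ring relay of claims 3 and 4 can be traced in Python as follows; this is an added example, not code from the patent. The function names (cheb_mod, obtain_integer, two_party, ring_share), the binary-ladder evaluation of T and the small parameter values are assumptions made for illustration.

```python
import secrets
from collections import deque


def cheb_mod(a, x, n):
    """T(a, x) = S(a, x) mod n, evaluated with a binary ladder on (T_k, T_{k+1}).

    Uses T_{2k} = 2*T_k^2 - 1, T_{2k+1} = 2*T_k*T_{k+1} - x and
    T_{2k+2} = 2*T_{k+1}^2 - 1 (the ladder is this example's choice).
    """
    x %= n
    t_k, t_k1 = 1 % n, x                      # (T_0, T_1)
    for bit in bin(a)[2:]:
        cross = (2 * t_k * t_k1 - x) % n      # T_{2k+1}
        if bit == "0":
            t_k, t_k1 = (2 * t_k * t_k - 1) % n, cross
        else:
            t_k, t_k1 = cross, (2 * t_k1 * t_k1 - 1) % n
    return t_k


def obtain_integer(n):
    """Integer obtaining unit: a random integer >= 2 and < n."""
    return 2 + secrets.randbelow(n - 2)


def two_party(n, X, p, q):
    """Claim 1: returns (Y, W, Z, Z') for private integers p and q."""
    Y = cheb_mod(p, X, n)         # first apparatus  -> second
    W = cheb_mod(q, X, n)         # second apparatus -> first
    Z = cheb_mod(p, W, n)         # common key at the first apparatus
    Z_prime = cheb_mod(q, Y, n)   # common key at the second apparatus
    return Y, W, Z, Z_prime


def ring_share(n, X, private):
    """Claims 3 and 4: M_i always forwards to M_((i+1) mod N).

    Each message is (destination, transmission key, application info),
    where the application info is the set of apparatus indices that have
    already applied the polynomial.
    """
    N = len(private)
    everyone = frozenset(range(N))
    in_flight = deque(
        ((i + 1) % N, cheb_mod(p_i, X, n), frozenset([i]))
        for i, p_i in enumerate(private)
    )
    common = {}
    while in_flight:
        i, W_i, applied = in_flight.popleft()
        result = cheb_mod(private[i], W_i, n)
        if applied == everyone - {i}:
            common[i] = result                            # Z_i
        else:
            in_flight.append(((i + 1) % N, result, applied | {i}))  # V_i
    return [common[i] for i in range(N)]


if __name__ == "__main__":
    n = 1009 ** 3                 # constructed value of the form n = c^m
    X = 123456                    # constructed public key, 2 <= X < n
    p, q = obtain_integer(n), obtain_integer(n)
    print(two_party(n, X, p, q))
    print(ring_share(n, X, [obtain_integer(n) for _ in range(4)]))
```

Both parties and every ring member arrive at the same value because T(p, T(q, X)) = T(pq, X) = T(q, T(p, X)).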